During the excellent Modern Endpoint Management summit in Paris, I was sitting in the equally excellent session from Florian Salzmann and one of the questions was if the Device bulk commands could send an on-demand remediation to multiple devices and the answer was no.
This gave me an idea so I built this script on the fly.
It will prompt to select a remediation and then select any devices, click OK and it will run that remediation against any and all devices selected.
Of course, it supports parameters and app registrations too.
You can grab it from GitHub here
Or PS Gallery Here:
Install-Script -Name bulk-run-remediation-ondemand
One of best script 🙂
How ever starting today we are struggling with issues not getting scrips. Any changes on mgraph maybe?
Checking if remediation set in parameters
Remediation not set, getting all remediations
Invoke-MgGraphRequest : GET https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 96c922fe-8a70-4fb7-866f-dc80d2776b24
client-request-id: 30ce65f4-b2d2-4443-84f2-58b5f348d6b2
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”Norway East”,”Slice”:”E”,”Ring”:”2″,”ScaleUnit”:”000″,”Role
Instance”:”OSL0EPF000060C3″}}
Date: Fri, 12 Sep 2025 11:51:30 GMT
Content-Type: application/json
{“error”:{“code”:”UnknownError”,”message”:”Application is not authorized to perform this operation. Applicati
on must have one of the following scopes: DeviceManagementScripts.Read.All, DeviceManagementScripts.ReadWrite
.All”,”innerError”:{“date”:”2025-09-12T11:51:31″,”request-id”:”96c922fe-8a70-4fb7-866f-dc80d2776b24″,”client-
request-id”:”30ce65f4-b2d2-4443-84f2-58b5f348d6b2″}}}
At line:173 char:22
+ … response = (Invoke-MgGraphRequest -uri $url -Method Get -OutputType P …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: GET, Re…58b5f348d6b2
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmd
lets.InvokeMgGraphRequest
Select remediation
Remediation selected
Checking if device set in parameters
No parameter set, grabbing devices
Select devices
Devices selected
Yes, a Graph update. Have just updated it 🙂
Magically good and fast response. Love your work 🙂
Is there any way of bulking importing the devices via a csv rather than selecting (rather painfully), multiple devices to remediate ?.
I’ve tinkered with the script but no luck so far.
Yes, around line 228,import the csv and loop through, passing the device Id for each item
I tried that with a CSV with the deviceid header by modifying 228
write-output “Checking if device set in parameters”
import-csv C:\temp\assets.csv
if ($deviceid) {
write-output “No parameter set, grabbing devices”
$devices = getdevicesandusers
The output of run shows
Checking if device set in parameters
deviceid
——–
7d01d3ef-7047-47f5-b835-60a721029884
544cccdd-8427-45ae-8d10-1fba677ae25e
Devices set from parameters
But the remediation doesn’t kick off at all despite that output which seems to suggest it picked up the deviceid from the CSV file.
You’re not looping through the Csv, look up a foreach loop
Very handy tool indeed!
Hi Andrew,
I got it working by adding “DeviceManagementManagedDevices.PrivilegedOperations.All” to the scope section of the script.
Thanks!
Thank you, added the scope in 1.0.2
Hi Andrew,
Thank you for providing this excellent tool! Would you be able to assist me with this error message?
Invoke-MgGraphRequest : POST
https://graph.microsoft.com/beta/deviceManagement/managedDevices(‘)/initiateOnDemandProactiveRemediation
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 559ee630-3368-4de7-9104-681ba62fe7b3
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US
2″,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”005″,”RoleInstance”:”BN2PEPF0000367D”}}
Date: Thu, 21 Dec 2023 16:44:26 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”Forbidden”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”Application is not authorized to
perform this operation. Application must have one of the following scopes:
DeviceManagementManagedDevices.PrivilegedOperations.All – Operation ID (for customer support):
00000000-0000-0000-0000-000000000000 – Activity ID: 559ee630-3368-4de7-9104-681ba62fe7b3 – Url:
https://fef.msua01.mana
ge.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices(‘863e048b-7f04-4acc-8fdf-4ea9b791064
b’)/microsoft.management.services.api.initiateOnDemandProactiveRemediation?api-version=5023-09-09\”,\r\n
\”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{
}\”\r\n}”,”innerError”:{“date”:”2023-12-21T16:44:26″,”request-id”:”559ee630-3368-4de7-9104-681ba62fe7b3″,”client-reques
t-id”:”559ee630-3368-4de7-9104-681ba62fe7b3″}}}
At C:\bulk-run-remediation-ondemand.ps1:252 char:5
+ Invoke-MgGraphRequest -uri $url -Method Post -Body $json -Content …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.Invok
eMgGraphRequest